Last week, CNET reported on the White House's proposed cyber security law "[that is] designed to force companies to do more to fend off cyberattacks".
The law seems to address shortcomings in critical infrastructure security moreso than private industry though there does appear to be language that requires the disclosure of security breaches by private companies. this approach, presumably, would provide consumers with information regarding a business' security policy and could affect the choices consumers make. This non-regulatory position adopted by the White House is interesting because as it echoes the Canadian Radio and Television Commission's (CRTC) position of letting market forces shape the industry.
Is a non-regulatory approach appropriate? Would the US Government randomly audit companies to determine their level of security? Would that be sufficient to force companies to do more to ensure security? Probably not, given the number of companies in t he US and the rate at which new vulnerabilities are discovered. Requiring companies to disclose breaches could work if market forces are adequately informed.
It will be interesting to see how this legislation is applied to the cloud and which of the parties, vendor or consumer, will be held accountable for maintaining appropriate levels of security given that most contracts currently put that burden squarely on the shoulders of consumers.
The fact that legislation is even required to force companies to maintain adequate cyber security systems begs the question: wouldn't companies WANT to protect their assets anyway?!
No comments:
Post a Comment